A security firm has announced a $1 million bounty for anyone who submits exploits and jailbreaks for Apple’s iOS 9 mobile operating system.
In a blog post published on Monday, Zerodium officially unveiled “The Million Dollar iOS 9 Bug Bounty”.
“Apple iOS, like all operating systems, is often affected by critical security vulnerabilities, however due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple’s iOS is currently the most secure mobile OS,” the post reads. “But don’t be fooled, secure does not mean unbreakable, it just means that iOS currently has the highest cost and complexity of vulnerability exploitation and here’s where the Million Dollar iOS 9 Bug Bounty comes into play.”
Zerodium is a relatively recent security startup. It was founded this past summer by Chaouki Bekrar, a merchant of zero-day exploits. Bekrar is also the founder of Vupen, a French hacking firm that, not unlike Hacking Team, develops intrusion software and sells it to governments around the world.
The security firm has stated its willingness to pay out a total of $3 million (three $1 million prizes) in return for iOS 9 exploits and jailbreaks. To be eligible, entrants must develop an initial attack vector that meets one of the following criteria:
- a web page targeting the mobile browser (Mobile Safari OR Google Chrome) in its default configuration; OR
- a web page targeting any application reachable through the browser; OR
- a text message and/or a multimedia file delivered via SMS or MMS.
Each exploit must also be remotely executable without requiring any user interaction, and it must function reliably on iPads and on the iPhone 5 and 6.
Eventually, Apple will presumably discover and patch these remote code execution flaws. However, Zerodium will not help the tech giant in that regard: it plans to release details of the exploits only to paying customers of its Zerodium Security Research Feed (Z-SRF), who can then use them as they see fit.
The security firm is known for paying out as much as $150,000 a week for zero-days. As Forbes reports, these exploits are commonly directed against Internet Explorer, Chrome, Firefox, Flash, Office and Android.